Strava Publishes Heatmap, Inadvertently Exposes Military Sites

A report revealed that In November 2017, fitness tracking app Strava published a heatmap of its user activity that was composed of a billion activities, three trillion latitude/longitude points, 13 trillion rasterized pixels and 10 TB worth of input data. However, the fitness app could have also accidentally revealed the hidden locations of secret U.S. military bases, patrols, and forward operating bases (FOBs) .

Nathan Ruser, founding member of the Institute for United Conflict Analysts first revealed the information on Twitter. He noted that the data from Strava’s heatmap makes the U.S. bases “clearly identifiable and mappable.” Moreover, Ruser also identified a Russian operating area in Khmeimim, a Turkish patrol, Afghanistan FOBs, and soldier running routes. Ruser tweeted that the location of the bases is not the only concern here. The ability to establish “pattern of life” information makes the heatmap a serious source of risk because a lot of people are not keeping their information private.

According to Strava, users can set the privacy that is right for their individual needs. For instance, privacy zones can be added that hides the portion of an activity that starts or ends in a user’s zone (which could be at home or at the office) from other athletes. There is also an option to opt out of contributing anonymized public activity data.

However, not only can the heatmap reveal information such as location, it is also very possible to extract people’s names, profile pictures, and heart rates from Strava’s backend. The Heatmap is detailed enough that it can also pose a risk to individuals. European privacy researcher Lukasz Olejnik said that even if a privacy zone is set up, the dataset can still contain a level of personally identifiable information (PII) that should not have been published by Strava.

Strava’s publication of its heatmap shows that there are dangers with the growth of the Internet of Things (IoT). This is because the app automatically opts users into sharing their data on the heatmap, and must manually opt-out if they don't want to share any information. And while the app is a harmless fitness tracker, it can still pose a danger to people who use it, serving as a wake-up call to security and IT professionals. That said, there is a need for enterprises to enforce an IoT policy that accounts for devices used in connection with companies and not just the ones that handle “sensitive” data.

In 2019, the number of mobile phone users around the world is projected to exceed the five billion mark. As technology continues to improve the lives of many, there’s also a downside to this as cybercriminals change their methods to profit from the growing number of victims. One of the things that cybercriminals target is user data, which can include anything from credit card details and contact lists to email and account credentials.

To prevent cybercriminals from gaining access to your mobile device, it’s best to follow some of the following practices:

Regularly update the device's operating system and apps - New vulnerabilities are always discovered and vendors send out patches to their applications and software as soon as they are available. For iOS, users can check for system updates under Settings > General > Software Update. Android users can look for it under Settings > About > System update.

Use built-in security features - Improve your mobile security by using built-in anti-theft apps like Find My iPhone, which can help you locate your phone, track where it is and remotely erase data in case you cannot recover the device. Settings > Accounts & Passwords > iCloud > Find My iPhone.

Minimize location access - Apps and websites can gain location access and can get a user’s approximate location. When allowing location access for iOS devices, it is recommended to only select the While Using the App option instead of Always, as it prevents a malware-ridden app running in the background from stealing a device’s location information.

Other practices that you can do to secure your mobile device include avoiding unsecured Wi-Fi networks by turning off the automatic Wi-Fi connection feature on your smartphone or tablet, downloading apps only from trusted sources, setting mobile devices to automatically lock, and ensure that you have a strong passcode.

2018 MIDYEAR SECURITY ROUNDUP

A review of the first half of 2018 shows a threat landscape that not only has constant and familiar features but also has morphing and uncharted facets: Ever-present threats steadily grew while emerging ones used stealth. View the 2018 Midyear Security Roundup

2018 SECURITY PREDICTIONS

Today's increasingly interconnected environments pave the way for threats that will bank on systems' weaknesses for different forms of cybercrime. How can you prepare for the year ahead?View the 2018 Security Predictions